
How to handle WAF Rules for me as a SecDevOps engineer and thoughts and challenges in Enterprise Environments as we transition to cloud.

Kai Thorsrud


I do complete Terraform deployments with more or less all features available.

I have developed separate modules that

  • Deploy a Netscaler in Azure
  • Configure an entire Netscaler according to best practice (with A+ on SSL Labs)
  • Deploy Botnet Protection
  • Deploy WAF
  • Deploy OAuth 2.0 v2 MSAL for applications
  • Deploy a web application (or any application with any protocol with or without custom monitors)
  • Deploy OAuth 2.0 v2 MSAL JWT with Token Cache so I can protect legacy APIs as a modern API Gateway
  • Deploy CAG for XenApp / XenDesk with SAML to connect with Storefront+FAS
  • Handle Certificates for all Applications and update them as they change

My upcoming challenge will be:

  • How to handle WAF Rulesets for persistent deploys.
  • In a Blue/Green or Canary Environment I need to be able to handle rules (being learned data) using code to have a consistent ruleset.


Being able to deploy WAF rules using code is a big plus as independent audits and revisioning of our internet exposed infrastructure becomes possible.

Zero Trust is the key for me. Nothing enters our network w/o proper authentication from Azure. Once Authenticated and Authorized WAF+BotNet = key.

Do you have any advice on how to solve these challenges? In a real life enterprise scenario this is a challenge to solve. Netscaler is a big business enabler for enterprises since all code cannot be refactored easily. Such a migration is a 5-10 year challenge. Netscaler really bridges the gap in a hybrid environment.

Hi and thank you for your time to answer me.

I need help with this. This is not supported by your Terraform provider. See the link at the bottom of this post.

I was supposed to have a meeting with Konstantinos Kaltsas where I wanted to demonstrate how cool Netscaler can actually be in large real life scenarios.

We scheduled meetings 3 times and every time I had to cancel because I am so busy with work. Now I am even more busy.

This post is the best I am able to do.

(I code, sleep, eat, work out to get stronger and stronger, family, repeat)



  • 2 weeks later...

Hi Kai, is Dynamic learning client not what you are looking for?

I read the post on GitHub, and from my understanding of it, you are contradicting yourself: you want persistent configuration steps of the learned data, but learned data is dynamic, so how would you store that in a persistent world?

I am like the others, also a little bit lacking exactly what is missing.


  • 4 weeks later...

Hi Morten. A pure dynamic learning client creates ineffective rules and duplicate rules, and if you have an infected client you can feed the WAF with security issues.

Furthermore, in real life scenarios whenever I use dynamic learning clients the ns.logs will fill up with the dynamic learning client detecting new rules, and whenever the NS tries to add the rule Netscaler will report "Rule Already exisists".

Dynamic Learning is not mature yet.

Typically what I do is to construct manual WAF rules because they are more effective than dynamic rules, i.e. take a Swagger definition and create rules from that, then use knowledge of HTTP, HTML, and my SANS certifications on redteam/blueteam work to implement rules.
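The approach described in the post above (deriving allow rules from a Swagger definition so the ruleset is consistent across Blue/Green deployments), as an added example that is not part of the original thread. The sample definition is constructed, the function names and the type-to-regex mapping are assumptions, and the output is neutral method/URL pairs rather than Netscaler or Terraform provider syntax.

```python
import hashlib
import json
import re

# Constructed sample Swagger 2.0 definition (not taken from the thread).
SWAGGER = {
    "basePath": "/api/v1",
    "paths": {
        "/orders": {"get": {}, "post": {}},
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "type": "integer"}],
            "get": {}, "delete": {},
        },
        "/customers/{name}": {"get": {}},  # {name} is undeclared on purpose
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
# Assumed mapping from a path parameter's declared type to a regex fragment.
TYPE_PATTERNS = {"integer": "[0-9]+", "string": "[^/]+"}


def path_regex(base, template, params):
    """Turn a Swagger path template into an anchored allow-list regex."""
    types = {p["name"]: p.get("type") for p in params if p.get("in") == "path"}
    out = []
    for i, part in enumerate(re.split(r"\{([^}]+)\}", template)):
        if i % 2:  # odd indexes are the captured {parameter} names
            out.append(TYPE_PATTERNS.get(types.get(part), TYPE_PATTERNS["string"]))
        else:
            out.append(re.escape(part))
    return "^" + re.escape(base) + "".join(out) + "$"


def build_ruleset(spec):
    """Return a sorted, de-duplicated list of method/URL allow rules."""
    rules = set()
    for template, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                params = item.get("parameters", []) + op.get("parameters", [])
                url = path_regex(spec.get("basePath", ""), template, params)
                rules.add((method.upper(), url))
    return [{"method": m, "url": u} for m, u in sorted(rules)]


def ruleset_digest(rules):
    """Stable SHA-256 of the ruleset, to compare blue and green deployments."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()
```

Because the rules are sorted and de-duplicated before hashing, two deployments built from the same definition produce the same digest, which gives an audit a single value to compare and a diffable file to keep in version control.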
